All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Citrix xenapp Missing some data

a026399
Explorer
‎12-18-2013 08:44 AM

I have a Xenapp 6.5 Farm. PowerShell 2.0 with remote execution set on all servers. I am not getting any data in the following areas. We are running splunk version 6.0 and I have the latest forwarder on all the servers.

Server Performance
Zone Data

Also when I run go into maintenance and do a rebuild zone farm look up I get the following error
Could not write to file 'xa_zone_farm.csv': Failed to move file to final destination.

Any help with this would be very appreciated.

Reply

helge
Builder
‎06-10-2015 08:50 AM

The reason why this is happening is most likely the bug SPL-40332 described here. Apparently it only affects Splunk running on Windows. Unfortunately this is still not fixed in Splunk 6.2.3.

Reply

lbenjaminvoigt
Explorer
‎07-16-2015 12:10 PM

Not fixed in 6.2.4 either. I'd really like to see the distribution of enterprises using Linux OS for Splunk architecture vs. Windows. Curious why this hasn't been addressed in multiple releases considering the implications of not being able to overwrite CSV lookup files on a schedule as the lookup tables get new data.

The only workaround I've found is restarting splunkd. Apparently it keeps a lock on the csv file that's to be overwritten until the service restarts.

Reply

bravon
Communicator
‎11-18-2014 08:11 AM

I have the same problem. Building the 3 other lookups goes fine, but the "Host to Farm" gives this error.
I can see that it is writing a .tmp file to the same directory before it returns the error.

It also creates the file if you delete it. The only problem seems to be updating the current file, and the permissions seems ok.

The TMP-file:
alt text

The Error:
alt text

Permissions:

D:\Splunk\etc\apps\TemplateForXenApp\lookups\calendar_users.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\citrix_license_product.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\citrix_license_type.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\ica_devicetypes.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_farms.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_host_farm.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_pubapp.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_service_groups.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\winHosts.csv
  RW NT AUTHORITY\SYSTEM
  R  Everyone
  RW BUILTIN\Administrators
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

a026399
Explorer
‎12-18-2013 09:54 AM

Thanks for the quick reply. Do you mean the service account in the index server or on the xenapp server that has UF installed?

Thanks

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎12-18-2013 08:47 AM

The error you are getting means the service account that Splunk is running as does not have write access to c:\program files\splunk\etc\apps\SplunkAppForXenApp\lookups

0 Karma
Reply

bravon
Communicator
‎11-18-2014 08:12 AM

I have the same problem. Building the 3 other lookups goes fine, but the "Host to Farm" gives this error.
I can see that it is writing a .tmp file to the same directory before it returns the error.

It also creates the file if you delete it. The only problem seems to be updating the current file, and the permissions seems ok.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎02-10-2015 03:42 PM

This only happens when Splunk is running on a Windows platform. As stated above, the lookup generates a temporary file and then tries to move it to the final file. TRANSFORMS.CONF is blocking this from happening. I just updated the XenApp template on apps.splunk.com with a workaround that should resolve the issue.

0 Karma
Reply

bravon
Communicator
‎02-11-2015 05:21 AM

I will give the new app a try when I find the time.
For your information I have found a similar wierd permissions-issue (On windows) which is explained here: http://answers.splunk.com/answers/215816/after-upgrading-splunk-app-for-microsoft-exchange.html
I will use the ProcMon approach on the Citrix-app also, and post updates here.

0 Karma
Reply

a026399
Explorer
‎12-20-2013 01:36 PM

It is not set to read only.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎12-18-2013 10:05 AM

Make sure the folder is not set to read only as well.

0 Karma
Reply

a026399
Explorer
‎12-18-2013 10:03 AM

I checked on my XenApp servers and the Forwarder run as Local system. The folder mentioned above has system set as full control.

0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎12-18-2013 09:57 AM

The account on the index. Basically, that rebuild zone farm lookup search builds a lookup table that is stored on the indexer.

0 Karma
Reply

a026399
Explorer
‎12-18-2013 09:54 AM

Thanks for the quick reply. Do you mean the service account in the index server or on the xenapp server that has UF installed?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...